Secure Data Provision Method and Apparatus and
Data Recovery Method and System.

Field of the Invention

The present invention relates to a method and apparatus for the provision of target data in 
encrypted form to an accredited professional and to a method and system for recovering the 
target data in clear; in particular, but not exclusively, the present invention relates to such 
methods, system and apparatus involving Identifier-Based Encryption. 


As used herein, reference to a "professional" is a reference to an individual that has certain 
recognised skills that the individual uses in carrying out their job. Such skills may range 
from the skills of a brain surgeon to those of a plumber or the like, without limitation. 

Background of the Invention

Professionals working in the same field frequently belong to a professional body one role 
of which may be to maintain a list of accredited professionals working in the field 
concerned (though not necessarily members of the body); such a role may, indeed, have 
regulatory force. Entry on the list of accredited professionals often requires an individual to
have obtained certain qualifications but will generally also require that the individual has
not committed any major act detrimental to their clients. Thus the accredited status of a 
professional is not something which once obtained will necessarily continue. 

One field where the professional status of an individual is of particular importance is the 
medical field. This field places high demands not only on the skill of the individuals
concerned but also on maintaining the confidentiality of patient records. It is expected that 
electronic medical records of patients will replace paper records in the near future. The 
update of these records is likely to be the responsibility of the patient's local doctor (that is, 
their "general practitioner" or "GP"). The GP, for the purpose of secure preservation of 
patient data, is likely to use a secure data storage service to store the electronic patient
records. In an emergency situation, in which a patient requires medical care, an attending 
doctor or paramedic (generally, a medical professional) needs to know, as a matter of
urgency, the medical history of the patient to prevent giving inappropriate treatments.
There is therefore a need for the attending medical professional to obtain the patient's 
medical records from the data storage service provider; however, this needs to be done in a 
manner that safeguards the privacy of the records. 

Most solutions that have been proposed for dealing with the above situation involve the use
of a public key infrastructure (PKI) which would need to be created for the medical
professionals. In such a PKI, a professional body for medical professionals would act as a
certificate authority providing an accredited medical professional with a certificate
confirming their accreditation and public key. In an emergency situation, the medical
professional would send a patient identifier together with the professional's own certificate 
to the patient data storage service. This service would verify the validity of the certificate, 
encrypt the patient's records with the medical professional's public key, and return the 
encrypted data to the medical professional. 


One disadvantage of the foregoing arrangement is that it does not distinguish between a 
request from a medical professional carrying out their work in a hospital emergency room 
and a medical professional who just wants to pry into the details of a patient. Another 
disadvantage is the need for the data storage service to keep, or have immediate access to, 
an up-to-date certificate revocation list.

It is an object of the present invention to provide an improved way for professionals to 
access confidential data in a controlled manner that obviates at least some of the problems 
associated with prior systems. It is to be understood that the present invention is not limited 
to the provision of sensitive data to medical professionals but is applicable to all types of
professionals. 

As will be explained hereinafter, the preferred embodiments of the invention utilise
Identifier-Based Encryption (IBE) which is an emerging cryptographic schema. For convenience, this
known schema will next be described with reference to Figure 1 of the accompanying
drawings. In an IBE schema, a data provider 10 encrypts payload data 13 using an
encryption key string 14 and public data 15 provided by a trusted authority 12; the data
provider 10 then provides the encrypted payload data <13> to a recipient 11 who decrypts
it using a decryption key 16 provided by the trusted authority together with the latter's
public data. The trusted authority's public data is derived by the authority using private
data 17 and a one-way function 18. Important features of the IBE schema are that any kind
of string (including a name, a role, etc.) can be used as an encryption key string 14, and
that the generation of the decryption key 16 is effected by the trusted authority (process 19)
using the encryption key string 14 and its private data 17, enabling the generation of the
decryption key 16 to be postponed until needed for decryption. Because the encryption key
string frequently contains data identifying the intended recipient (for example, by a
required characteristic), the encryption key string is also known as the identifier string.

The public data 15 and private data 17 effectively form a base key pair which in any 
particular application is typically only changed infrequently (if at all) as compared to the 
frequency of change of the encryption / decryption key pair 14,16. 

A number of IBE algorithms are known, one of which is the "Quadratic Residuosity" (QR)
method described in the paper: C. Cocks, "An identity based encryption scheme based on
quadratic residues", Proceedings of the 8th IMA International Conference on Cryptography
and Coding, LNCS 2260, pp 360-363, Springer-Verlag, 2001. A brief description of this
form of IBE is given below.


In the QR method, the trusted authority's public data 15 comprises a value N that is a
product of two random prime numbers p and q, where the values of p and q are the private
data 17 of the trusted authority 12. The values of p and q should ideally be in the range of
2^511 and 2^512 and should both satisfy the equation: p, q ≡ 3 mod 4. However, p and q must
not have the same value. Also provided is a hash function # which when applied to a string
returns a value in the range 0 to N-1.

Each bit m of the user's payload data 13 is then encrypted as follows:

- The data provider 10 generates random numbers t+ (where t+ is an integer in the
  range [0, 2^N]) until a value of t+ is found that satisfies the equation jacobi(t+, N) = m,
  where m has a value of -1 or 1 depending on whether the corresponding bit of the
  user's data is 0 or 1 respectively. (As is well known, the jacobi function is such that
  where x^2 ≡ # mod N the jacobi(#, N) = -1 if x does not exist, and = 1 if x does
  exist). The data provider 10 then computes the value:

      s+ = (t+ + #(encryption_keystring)/t+) mod N

  where s+ corresponds to the encrypted value of the bit m concerned.

- Since #(encryption_keystring) may be non-square, the data provider additionally
  generates additional random numbers t- (integers in the range [0, 2^N)) until one is
  found that satisfies the equation jacobi(t-, N) = m. The data provider 10 then
  computes the value:

      s- = (t- - #(encryption_keystring)/t-) mod N

  as the encrypted value of the bit m concerned.

The encrypted values s+ and s- for each bit m of the user's data are then made available to
the intended recipient 11, for example via e-mail or by being placed in an electronic public
area; the identity of the trusted authority 12 and the encryption key string 14 will generally
also be made available in the same way.

The encryption key string 14 is passed to the trusted authority 12 by any suitable means; for
example, the recipient 11 may pass it to the trusted authority or some other route is used -
indeed, the trusted authority may have initially provided the encryption key string. The
trusted authority 12 determines the associated private key B by solving the equation:

    B^2 ≡ #(encryption_keystring) mod N ("positive" solution)

If a value of B does not exist, then there is a value of B that is satisfied by the equation:

    B^2 ≡ -#(encryption_keystring) mod N ("negative" solution)

As N is a product of two prime numbers p, q it would be extremely difficult for anyone to
calculate the decryption key B with only knowledge of the encryption key string and N.
However, as the trusted authority 12 has knowledge of p and q (i.e. two prime numbers) it
is relatively straightforward for the trusted authority 12 to calculate B.

Any change to the encryption key string 14 will result in a decryption key 16 that will not
decrypt the payload data 13 correctly. Therefore, the intended recipient 11 cannot alter the
encryption key string before supplying it to the trusted authority 12.

The trusted authority 12 sends the decryption key to the data recipient 11 along with an
indication of whether this is the "positive" or "negative" solution for B.

If the "positive" solution for the decryption key has been provided, the recipient 11 can
now recover each bit m of the payload data 13 using:

    m = jacobi(s+ + 2B, N)

If the "negative" solution for the decryption key B has been provided, the recipient 11
recovers each bit m using:

    m = jacobi(s- + 2B, N)

Whilst in the foregoing example, the encryption key string has been used directly in the QR
IBE algorithm, it is also possible to use in the encryption process a derivative of the
encryption key string, this derivative being formed, for example, by using a predetermined
hash function. In this case, the entity generating the decryption key can still simply be
supplied with the encryption key string provided it knows the predetermined function used
to form the derivative of the encryption key string (in fact, this is equivalent to using a
variant of the stated QR IBE algorithm in which the predetermined function is applied to
the encryption key string wherever the latter appears). Where the decryption-key generating
entity does not need to access the contents of the original encryption key string, then it
need only be provided with the derivative of the encryption key string used during the
encryption process. In the following description, where the term "encryption key" is used,
this is intended to refer to the form of the encryption key string used in the stated version of
the IBE algorithm concerned whether this is the unprocessed encryption key string or a
derivative formed by subjecting the encryption key string to predetermined processing.

Other IBE algorithms are known such as the use of Weil or Tate pairings - see, for
example: D. Boneh, M. Franklin - "Identity-based Encryption from the Weil Pairing" in
Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag,
2001. IBE algorithms based on the Weil or Tate pairings are usually described in terms of
there being an IBE encryption key that is derived in a predetermined manner from an
encryption key string (though it would be possible to re-state the algorithms such that the
encryption key string formed the encryption key to be plugged into the algorithm).

Summary of the Invention 

In general terms, the present invention calls for the recovery of encrypted sensitive data to 
require the involvement not only of a first trusted authority competent in respect of the
accreditation of professionals, but also of an organisation engaging the professional and a 
second trusted authority competent in respect of the accreditation of organisations. 

More particularly, according to a first aspect of the present invention, there is provided a
method of recovering target data provided in encrypted form to a party as part of a data set
with which first and second trusted authorities are associated in a non-subvertible manner,
the method comprising:

- providing a first element to the party after the first trusted authority has verified that a
  specific individual is a professional accredited with it;
- providing a second element to the party after both the second trusted authority has
  verified that a particular organisation is accredited with it, and said particular
  organisation has verified that said specific individual is engaged by it; and
- the party using both said elements to recover the target data in clear;

at least one of the particular organisation and the first trusted authority ensuring that its
verification is for said party as said specific individual before providing the corresponding
element.

In one embodiment both the particular organisation and the first trusted authority use the
authenticated identity of the party for the specific individual in respect of which they carry
out their respective verifications. In another embodiment, the data set identifies said
specific individual and one or both of the particular organisation and the first trusted
authority check that the authenticated identity of the party corresponds to the specific
individual identified in the data set.

Advantageously, the method involves the use of Identifier-Based Encryption (IBE). In one
preferred embodiment, the data set comprises a first item encrypted using a first IBE
encryption key that identifies said specific individual, and public data of the first trusted
authority; and a second item encrypted using a second IBE encryption key that identifies a
specific organisation, and public data of the second trusted authority. In this case, the
second trusted authority verifies that the said particular organisation is the specific
organisation identified in the second encryption key as well as it being an organisation
accredited with the second trusted authority.

The use of the public data of the first and second trusted authorities in encrypting the first
and second items provides a non-subvertible link between the data set and the trusted
authorities as these authorities must be contacted for the corresponding decryption keys.
However, it may be noted that the data provider may opt to use the same first and second
encryption keys when encrypting the first and second items of different data sets in which
case provision can be made for caching of the corresponding decryption keys, thereby
obviating the need for the trusted authorities to be contacted each time target data is
provided to the party.

According to a second aspect of the present invention, there is provided a secure
data-provision method comprising providing target data from a data provider to a party
purporting to be a specific, professionally-accredited, individual engaged by a specific
accredited organisation, the target data being provided in encrypted form as part of a data
set that comprises:

- a first item encrypted, according to an Identifier-Based Encryption, IBE, scheme,
  using both a first encryption key that identifies said specific individual, and public
  data of a first trusted authority competent in respect of professional accreditations;
  and
- a second item encrypted according to an IBE scheme, using both a second encryption
  key that identifies said specific organisation, and public data of a second trusted
  authority competent in respect of accreditations of organisations;

recovery of the target data in clear requiring decryption of both the first and second items.


According to a third aspect of the present invention, there is provided a system for
recovering target data provided in encrypted form to a party as part of a data set with which
first and second trusted authorities are associated in a non-subvertible manner, the system
comprising:

- a first computing entity, associated with the first trusted authority, for providing a
  first element to the party after verifying that a specific individual is a professional
  accredited with it;
- a second computing entity associated with the second trusted authority;
- a third computing entity, associated with a particular organisation, for providing a
  second element to the party after the second computing entity has verified that said
  particular organisation is accredited with it, and the third computing entity has
  verified that said specific individual is engaged by it; and
- a fourth computing entity, associated with said party, for decrypting the target data
  using the first and second elements;

at least one of the first and third computing entities being arranged to ensure that its
verification is for said party as said specific individual before providing the corresponding
element to the party.

According to a fourth aspect of the present invention, there is provided apparatus for the
secure provision of target data to a party purporting to be a specific,
professionally-accredited, individual engaged by a specific accredited organisation, the apparatus
comprising an encryption subsystem for generating a data set including the target data in
encrypted form, the encryption subsystem comprising:

- first encryption means for encrypting a first item, according to an Identifier-Based
  Encryption, IBE, scheme, using both a first encryption key that identifies said
  specific individual, and public data of a first trusted authority competent in respect of
  professional accreditations;
- second encryption means for encrypting a second item, according to an IBE scheme,
  using both a second encryption key that identifies said specific organisation, and
  public data of a second trusted authority competent in respect of accreditations of
  organisations; and
- means for forming the data set using at least the encrypted first and second items;

the recovery of the target data in clear requiring decryption of both the first and second
items.

The present invention also envisages user computing devices for use by professionals in 
recovering encrypted target data.



Brief Description of the Drawings 

Embodiments of the invention will now be described, by way of non-limiting example,
with reference to the accompanying diagrammatic drawings, in which:

- Figure 1 is a diagram illustrating the operation of a prior art encryption schema
  known as Identifier-Based Cryptography;
- Figure 2 is a diagram showing the general arrangement of entities involved in the
  embodiments described with respect to Figures 3 to 8;
- Figure 3 is a diagram of a first specific embodiment of the present invention;
- Figure 4 is a diagram of a second specific embodiment of the present invention;
- Figure 5 is a diagram of a third specific embodiment of the present invention;
- Figure 6 is a diagram of a fourth specific embodiment of the present invention;
- Figure 7 is a diagram of a first variant of the Figure 5 embodiment; and
- Figure 8 is a diagram of a second variant of the Figure 5 embodiment.

Best Mode of Carrying Out the Invention

The embodiments of the invention to be described hereinafter are all placed in a medical 
context with a requesting party only being able to obtain access to a patient record if the 
party is a medical professional (for example, a doctor or paramedic) accredited with a
medical professional trusted authority and engaged by a medical organisation (such as a
hospital) accredited with a medical organisation trusted authority. However, it is to be
understood that these embodiments can also be applied in other fields beyond the medical
world. 

Figure 2 illustrates the general arrangement of the entities involved in all the embodiments
described below. More particularly, this arrangement comprises a first computing entity 20
(such as a personal digital assistant) associated with a requesting party wishing to receive a
patient record; a second computing entity 30 associated with a patient record storage
service; a third computing entity 40 associated with a medical professional trusted
authority competent in respect of the accreditation of medical professionals (that is, trusted
as authoritative concerning the accreditation of such professionals); a fourth computing
entity 45 associated with a medical organisation trusted authority competent in respect of
the accreditation of medical organisations; and a fifth computing entity 50 associated with
a particular medical organisation. The computing entities 20, 30, 40, 45 and 50 are
typically based around general-purpose processors executing stored programs. The
computing entities 20, 30, 40, 45 and 50 inter-communicate as needed (see arrows 55-58)
via, for example, the internet or other network though it is also possible that at least some
of the entities actually reside on the same computing platform. As will be described below,
at least certain of the inter-entity communications are arranged to take place securely with
the communicating parties authenticating each other; to this end, the entities are equipped
with suitable communication modules well understood by persons skilled in the art.

In the following, references to the requesting party, patient record storage service, the 
medical professional trusted authority, the medical organisation trusted authority, and the 
medical organisation are generally used interchangeably with references to their respective 
computing entities 20, 30, 40, 45 and 50. Furthermore, for convenience the terms "patient
record storage service" and "trusted authority" are abbreviated to "PRSS" and "TA"
respectively. 

In functional terms, the requesting-party entity 20 comprises a communications module 23
for communicating with the entities 30, 40 and 50, a control module 21 for controlling the
general operation of the entity 20 and for providing a user interface and at least short-term
storage, and a cryptographic module 22 for executing certain cryptographic functions that
vary between the embodiments to be described below.

The PRSS entity 30 comprises a communications module 34 for communicating with the 
requesting party entity 20 (and possibly also with the entities 40 and 45), a control module 
31 for controlling the general operation of the entity 30, a database 32 for holding patient
records, and a cryptographic module 33 for executing certain cryptographic functions that 
also vary between the embodiments to be described below. 

The medical professional TA entity 40 comprises a communications module 44 for
communicating with the requesting party entity 20 (and possibly also with the entity 30), a 
control module 41 for controlling the general operation of the entity 40, a database 42 for 
holding medical professional accreditation data, and a cryptographic module 43 for 
executing certain cryptographic functions. 


The medical organisation TA entity 45 comprises a communications module 49 for 
communicating with the medical organisation entity 50 (and possibly also with the entity 
30), a control module 46 for controlling the general operation of the entity 45, a database 
47 for holding medical organisation accreditation data, and a cryptographic module 48 for 
executing certain cryptographic functions.

The medical organisation entity 50 comprises a communications module 54 for 
communicating with the requesting party entity 20 and the medical organisation TA 45, a 
control module 51 for controlling the general operation of the entity 50, a database 52 for
holding data about medical professionals engaged by the organisation including their data
access authorisation levels (in particular, whether they are authorised to access patient 
records), and a cryptographic module 53 for executing certain cryptographic functions. 

The specific embodiments now to be described all employ Identifier-Based Cryptography
(in the present case, the QR IBC method) to enable the PRSS entity 30 to specify
conditions to be met by parties wishing to access patient records provided by the entity 30.
More particularly, the TAs 40 and 45 have respective IBE public data N1 and N2 and
corresponding respective IBE private data p1, q1 and p2, q2 used in forming their public
data. The PRSS entity 30 knows the public data N1 and N2 of the two TAs (for example,
as a result of the latter each publishing its public data in a certificate digitally signed using
a locally-held private key of a public/private key pair associated with the trusted authority).

When the requesting party 20 wants to access a patient record, it makes a request (arrow 
55) to the PRSS entity 30 in which it not only identifies the patient concerned, but also 
identifies both itself (by name or, preferably, by another identifier such as a public key of 
an asymmetric public/private key pair the private key of which is held by the party 20), and 
the medical organisation for which the party 20 is currently working (again, either by name 
or by another identifier such as the public key of an asymmetric public/private key pair the 
private key of which is held by the organisation). 

The PRSS entity 30 responds to the request by the party 20 by encrypting the requested 
patient record (referred to herein as the "target record" or, more generally, the "target 
data") and providing it (arrow 55) to the party 20 as part of a data set that comprises 
encrypted first and second items. The first data-set item is IBE encrypted using the party's 
supplied identity as an IBE encryption key and the public data N1 of the medical
professional TA 40. The second data-set item is IBE encrypted using the supplied 
organisation identity as an IBE encryption key and the public data N2 of the medical 
organisation TA 45. To recover the target patient record in clear, it is necessary to decrypt 
both the first data-set item and the second data-set item and this requires a first IBE 
decryption key provided by the medical professional TA 40 and a second decryption key 
provided by the medical organisation TA 45. 

As will become apparent hereinafter, the composition of the data set of which the 
encrypted target patient record forms a part varies from embodiment to embodiment as 
does the relationship between the first and second data-set items and the target patient 
record (indeed, in one embodiment, the first data-set item is the target patient record).

The party entity 20 on receiving the data set including the encrypted target record, seeks to
obtain the first decryption key from the medical professional TA 40 and in doing so
provides the related encryption key to the TA 40. The TA 40 only returns the decryption
key if it is satisfied that the individual identified in the encryption key is a professional
accredited with it as indicated by the data it holds in its database 42; the TA 40 may also
require the party to prove that they are this identified individual. In certain embodiments,
the TA 40 may be arranged to receive, decrypt and return the first data-set item rather than
providing the first decryption key to the party 20.

The party entity 20 also requests (arrow 57) the second decryption key from the medical
organisation entity 50, providing the latter with the encryption key that identifies the
organisation indicated to the PRSS entity by the party 20. The organisation 50, either
before or after carrying out certain checks to be described, asks (arrow 58) the medical
organisation TA 45 to provide the second decryption key on the basis of the supplied
encryption key. The TA 45 only supplies the requested key if it is satisfied that the
requesting organisation is the same organisation as identified in the encryption key and that
the organisation is accredited with it according to the data held in the database 47.
Assuming that the TA 45 provides the second decryption key to the organisation 50, and
provided this entity 50 is satisfied that the party 20 (or, in certain embodiments, the
individual identified by the party to the PRSS entity 30), is engaged by the organisation
with appropriate data access authority as indicated by data in the database 52, the
organisation returns (arrow 57) the second decryption key, or the second data-set item
decrypted using this key, to the party 20.

The final recovery of the target patient record takes place at the party entity 20. This
recovery is only possible if the party 20 is a medical professional accredited with the
medical professional TA 40 and is engaged by a medical organisation accredited with the
medical organisation TA 45. However, it may be noted that the PRSS entity 30 may use the
same encryption keys when encrypting the first and second items of data sets associated
with different record requests by the party 20; in this case, the corresponding decryption
keys may be cached by the entities that carry out IBE decryption, thereby obviating the
need for the TAs 40, 45 to be contacted each time a target record is provided to the party
20.

So far as the IBE cryptographic processes are concerned, the correspondence between the 
entities of Figure 2 and those of Figure 1 will be apparent to persons skilled in the art.

Specific IBE-based embodiments will now be described with reference to Figures 3 to 8. In
these Figures, the PRSS entity 30 and the initial request from the party entity to the PRSS
entity are not depicted and consideration of these embodiments starts with the data set
returned by the PRSS entity 30, it being appreciated that this data set has been generated by
the functional elements 31 and 33 of the entity 30 using the data supplied to it in the initial
request, the TA public data N1 and N2, and the patient record extracted from the database
32.

Considering first the Figure 3 embodiment, the data set returned by the PRSS entity 30
comprises:

- a first IBE encryption key K1 comprising an identification of an individual (the party
  20) purporting to be a medical professional (MP);
- a second IBE encryption key K2 comprising an identification of an organization
  purported by the party 20 as being an accredited medical organization ("MO") by
  which the party is engaged;
- an encrypted first item formed by the IBE encryption of the target patient record "PR"
  using the first encryption key K1 and the public data N1 of the medical professional
  TA 40 - this is represented by the expression E<K1,N1;PR> where E<> denotes that
  the element appearing in the brackets after the semicolon has been encrypted using the
  element or elements appearing before the semicolon;
- an encrypted second item formed by the IBE encryption of the first item using the
  second encryption key K2 and the public data N2 of the medical organization TA 45 -
  this is represented by the expression E<K2,N2; E<K1,N1; PR>>.

It will be appreciated that the encrypted first item (that is, the second item) does not appear
explicitly in the data set but only in its further encrypted form as the encrypted second
item.

The entity 20 now establishes a secure authenticated communication channel 100 with the
medical professional TA 40 and requests (arrow 60) the IBE decryption key K3
corresponding to IBE encryption key K1, this latter being passed in the request to the entity
40. The entity 40 first checks (process 61) that the requesting party, as established by
authentication when setting up channel 100, is the same as the medical professional (MP)
identified in the encryption key K1. If this check is passed, the entity 40 then checks
(process 62) that the party/MP is accredited as a medical professional with the entity 40.
The checks 61 and 62 can, in fact, be carried out simultaneously or in reverse order. Only if
both these checks are passed does the entity 40 proceed with the generation (process 63) of
the decryption key K3 by using the encryption key K1 and the private data p1, q1 of the
entity 40. The decryption key K3 is then returned (arrow 64) over the channel 100 to the
party entity 20. The key K3 could have been generated in advance of, or in parallel with,
the checks 61 and 62 being carried out - what is important is that the key K3 is not
returned until the checks have been passed.

The entity 20 also establishes a secure authenticated communication channel 101 with the
medical organization entity 50 and passes it both the IBE encryption key K2 (arrow 65) and
the encrypted second item (arrow 66). The entity 50 first checks (process 67) that the party
20, authenticated during set up of the channel 101, is an individual engaged by it with
authority to access patient records. "Engaged" can either be taken as currently engaged
over a sustained period (for example, of weeks, months, years or for an unspecified
duration), or be taken to be actually on duty for the organization at the current instance.
The entity 50 may (or may not) also check that it is the organization identified in the
encryption key K2. If the or each of these checks is passed, the medical organization entity
50 sets up a secure authenticated communication channel 102 with the medical
organization TA entity 45 and passes it (arrow 68) the encryption key K2 with a request for
the corresponding decryption key K4.



The TA entity 45 first checks (process 69) that the requesting organization, as
authenticated during set up of channel 102, is the organization identified in the encryption
key K2. If this check is passed, the entity 45 then checks (process 70) that the organisation
is accredited as a medical organisation with the entity 45. The checks 69 and 70 can be
carried out simultaneously or in reverse order. Only if both these checks are passed does
the entity 45 proceed with the generation (process 71) of the decryption key K4 by using
the encryption key K2 and the private data p2, q2 of the entity 45. The decryption key K4 is
then returned (arrow 72) over the channel 102 to the medical organisation entity 50. The
key K4 could have been generated in advance of, or in parallel with, the checks 69 and 70
being carried out - what is important is that the key K4 is not returned until the checks
have been passed.

On receiving the decryption key K4, the medical organisation entity 50 uses it to decrypt 
(process 73) the encrypted second item. The second item E<K1,N1; PR> is then passed 
back (arrow 74) over the secure channel 101 to the party entity 20. 

The party entity 20 finally recovers the target patient record in clear by using the decryption 
key K3 to decrypt the second item (process 80). 

In the embodiments of Figures 4, 5 and 6 to be described below, the roles of the two TA
entities 40 and 45 and of the medical organisation entity 50 are substantially the same as
for the Figure 3 embodiment, namely:

- the medical professional TA entity 40, after carrying out checks 61 and 62, provides
the party entity 20 with an IBE decryption key K2 for decrypting a first item
encrypted with a first IBE encryption key K1,

- the medical organisation TA entity 45, after carrying out checks 69 and 70, provides
the medical organisation entity 20 with an IBE decryption key K4 for decrypting a
second item encrypted with a second IBE encryption key K2, and

- the medical organisation entity 50, after carrying out check 67, decrypts the second
item using the key K4 and returns the decrypted second item to the party entity 20.

The differences between the embodiments of Figures 3 to 6 lie in the contents of the data
sets provided by the PRSS entity 30 and how these contents are used to recover the target
patient record in clear.

Considering next the embodiment of Figure 4, in this embodiment the data set provided by
the PRSS entity 30 comprises:

- identification of an individual (the party 20) purporting to be a medical professional
(MP), this identification being that used by the PRSS entity 30, in combination with a
nonce (random number), for a first IBE encryption key K1;

- a second IBE encryption key K2 comprising an identification of an organization
purported by the party 20 as being an accredited medical organization ("MO") by
which the party is engaged;

- an encrypted first item E<K1,N1;PR> formed by the IBE encryption of the target
patient data record "PR" using the first encryption key K1 and the public data N1 of the
medical professional TA 40;

- an encrypted second item E<K2,N2; Nonce> formed by the IBE encryption of the
nonce used in the first encryption key K1, using the second encryption key K2 and the
public data N2 of the medical organization TA 45.

In this embodiment, the party entity 20 first obtains the decrypted second item (the nonce
used in the encryption key K1) from the medical organisation entity 50 and then uses this
nonce, together with the medical professional identifier provided by the PRSS entity 30, to
re-form (process 81) the encryption key K1. The re-formed key K1 is passed to the entity
40 to obtain the corresponding decryption key K3 which is then used to decrypt (process
82) the encrypted first item and recover the target patient record in clear.

Considering the embodiment of Figure 5, in this embodiment the data set provided by the
PRSS entity 30 comprises:

- a first IBE encryption key K1 comprising identification of an individual (the party 20)
purporting to be a medical professional (MP);

- a second IBE encryption key K2 comprising an identification of an organization
purported by the party 20 as being an accredited medical organization ("MO") by
which the party is engaged;

- the target patient record encrypted using a symmetric key S;

- an encrypted first item E<K1,N1;A> formed by the IBE encryption of a first part A of
the symmetric key S using the first encryption key K1 and the public data N1 of the
medical professional TA 40;

- an encrypted second item E<K2,N2; B> formed by the IBE encryption of a second part
B of the symmetric key S using the second encryption key K2 and the public data N2 of
the medical organization TA 45.

In this embodiment, the party entity 20 obtains the decryption key K3 from the medical
professional TA entity 40 and uses it to decrypt (process 83) the encrypted first item to
provide the first part A of the symmetric key S. The entity 20 also obtains the decrypted
second item (the second part B of the symmetric key S) from the medical organisation
entity 50. The party entity 20 then combines A and B (process 84) to re-form the symmetric
key S which it thereafter uses to decrypt the target patient record (process 85).

Rather than the symmetric key S being simply split into two parts A and B and re-formed
by concatenation of A and B, a more complex relationship between S, A and B is preferred
that avoids disclosure of A or B providing any information about S. By way of example, A
and B could be created first and then S derived as a hash of A and B, i.e. S=Hash(A,B). An
alternative approach would be to use Shamir's secret sharing.
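The two preferred relationships between S, A and B named above can be sketched as follows. This is an added example, not code from the patent: the function names, the choice of SHA-256, the length-prefixed hash input and the field modulus are all assumptions made for illustration. Note the difference in ordering: with S=Hash(A,B) the parts are created first and S follows from them, whereas with Shamir's scheme S is chosen first and then split.

```python
import hashlib
import secrets

# Assumed field modulus for the Shamir variant: 2**521 - 1 is a Mersenne
# prime and is larger than any 256-bit key value.
P = 2**521 - 1
KEY_LEN = 32  # bytes; a 256-bit symmetric key S


def derive_key(part_a: bytes, part_b: bytes) -> bytes:
    """S = Hash(A, B). Each part is length-prefixed so that the boundary
    between A and B is unambiguous: (b"ab", b"c") != (b"a", b"bc")."""
    h = hashlib.sha256()
    for part in (part_a, part_b):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def shamir_split(secret: bytes):
    """2-of-2 Shamir split: f(x) = s + slope*x mod P, shares are f(1), f(2)."""
    if len(secret) != KEY_LEN:
        raise ValueError("secret must be KEY_LEN bytes")
    s = int.from_bytes(secret, "big")
    slope = secrets.randbelow(P)  # fresh random coefficient per split
    return (1, (s + slope) % P), (2, (s + 2 * slope) % P)


def shamir_combine(share_1, share_2) -> bytes:
    """Recover f(0) by Lagrange interpolation through the two shares."""
    (x1, y1), (x2, y2) = share_1, share_2
    if x1 == x2:
        raise ValueError("shares must come from different x positions")
    inv = pow(x2 - x1, -1, P)  # modular inverse (Python 3.8+)
    s = (y1 * x2 - y2 * x1) * inv % P
    if s >= 1 << (8 * KEY_LEN):
        raise ValueError("shares do not belong to the same split")
    return s.to_bytes(KEY_LEN, "big")


def slope_explaining(share, candidate: bytes) -> int:
    """Slope under which `share` would be a valid share of `candidate`.
    One always exists, which is why a single share reveals nothing about S."""
    x, y = share
    return (y - int.from_bytes(candidate, "big")) * pow(x, -1, P) % P


def demo():
    # Hash variant: A and B are created first, S is derived from both.
    a, b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    s_derived = derive_key(a, b)

    # Shamir variant: S is chosen first, then split into two shares.
    s_chosen = secrets.token_bytes(KEY_LEN)
    share_a, share_b = shamir_split(s_chosen)

    # The holder of share_a alone cannot rule out any other key value.
    decoy = secrets.token_bytes(KEY_LEN)
    x, y = share_a
    slope = slope_explaining(share_a, decoy)
    return {
        "derived_key_len": len(s_derived),
        "order_matters": derive_key(b, a) != s_derived,
        "shamir_recombines": shamir_combine(share_a, share_b) == s_chosen,
        "one_share_fits_decoy": (int.from_bytes(decoy, "big") + slope * x) % P == y,
    }


if __name__ == "__main__":
    print(demo())
```

With plain concatenation, by contrast, whoever learns A already knows half the bits of S.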

Considering the embodiment of Figure 6, in this embodiment the data set provided by the
PRSS entity 30 comprises:

- a first IBE encryption key K1 comprising identification of an individual (the party 20)
purporting to be a medical professional (MP);

- a second IBE encryption key K2 comprising an identification of an organization
purported by the party 20 as being an accredited medical organization ("MO") by
which the party is engaged;

- the target patient record encrypted using a first symmetric key S1;

- an encrypted first item E<K1,N1;E<S2;S1>> formed by the IBE encryption of a
component using the first encryption key K1 and the public data N1 of the medical
professional TA 40, the component concerned being the first symmetric key S1
encrypted using a second symmetric key S2;

- an encrypted second item E<K2,N2; S2> formed by the IBE encryption of the second
symmetric key S2 using the second encryption key K2 and the public data N2 of the
medical organization TA 45.

In this embodiment, the party entity 20 obtains the decryption key K3 from the medical
professional TA entity 40 and uses it to decrypt (process 86) the encrypted first item to
provide the component E<S2; S1>. The entity 20 also obtains the decrypted second item
(the second symmetric key S2) from the medical organisation entity 50 which it then uses
to decrypt (process 87) the component E<S2; S1> and obtain the first symmetric key S1.
The party entity 20 then uses the first symmetric key S1 to decrypt the encrypted target
patient record (process 88).

It will be appreciated that the data set provided by the PRSS entity 20 may take many other
forms without affecting the roles played by the entities 40, 45 and 50. Other variants that
modify the operation of the entities 40, 45 and 50 are also possible. For example, in the
embodiments of Figures 3 to 6 if the PRSS entity 30 is arranged to use the same first
encryption key K1 when encrypting the first items of successive data sets provided to the
same party (that is, data sets provided in response to successive patient record requests
from the party 20), it is possible to arrange for the corresponding decryption key K3 to be
cached by the entity 20 when first obtained from the TA entity 40 for use in decrypting the
first item of the first of these data sets, and then have the entity 20 re-use this key K3 from
cache for the other data sets that have their first items encrypted with the same encryption
key as the first item for which the decryption key was obtained. In a similar manner, if the
PRSS entity 30 uses the same encryption key K2 for encrypting the second items of
successive data sets, the medical organisation entity 50 can cache the corresponding
decryption key K4 when first obtained from the TA entity 45 and subsequently use the key
from cache. Of course, re-use of either decryption key from cache means that the checks
carried out by the corresponding TA entity are avoided; it is therefore preferable for the
PRSS entity 30 to limit either the number of times or the period over which it re-uses the
same encryption key; for example, the PRSS entity 30 may be arranged to change the first
encryption key K1 once a month and to change the second encryption key K3 daily.
Changing an encryption key whilst retaining the identification of the medical professional
or medical organisation identified in the key is readily done by including a fresh nonce
each time the key is to be changed; every time a new nonce is included in an encryption
key, the corresponding TA entity 40, 45 must be involved to generate the corresponding
decryption key, thereby resulting in the checks associated with the TA entity being effected.
Of course, the encryption keys K1 and K2 could be changed at every usage; however, this
may not be desirable where speed of retrieval of a patient record is important as in
emergency medical situations.
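The trade-off described above, together with the checks 61 and 62 of the Figure 3 description, can be seen in a short simulation. This is an added example, not code from the patent: the class names, the "identity|nonce" key layout, the period labels and the use of HMAC as a stand-in for IBE decryption-key generation are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets


class TrustedAuthority:
    """Stand-in for the medical professional TA entity 40."""

    def __init__(self, accredited):
        self._private = secrets.token_bytes(32)  # stand-in for private data p1, q1
        self.accredited = set(accredited)
        self.checks_run = 0

    def decryption_key(self, authenticated_as: str, encryption_key: str) -> bytes:
        # Assumed layout: identity, then "|", then nonce (identity has no "|").
        identity, _, _nonce = encryption_key.partition("|")
        self.checks_run += 1
        if authenticated_as != identity:        # check 61
            raise PermissionError("requester is not the identified professional")
        if identity not in self.accredited:     # check 62
            raise PermissionError("professional is not accredited")
        # HMAC over the whole encryption key stands in for IBE key generation:
        # a new nonce yields an unrelated decryption key.
        return hmac.new(self._private, encryption_key.encode(), hashlib.sha256).digest()


class Provider:
    """Stand-in for the PRSS entity 30: one nonce per identity and period."""

    def __init__(self):
        self._nonces = {}

    def encryption_key(self, identity: str, period: str) -> str:
        nonce = self._nonces.setdefault((identity, period), secrets.token_hex(8))
        return f"{identity}|{nonce}"


class Party:
    """Stand-in for the party entity 20, caching K3 per encryption key K1."""

    def __init__(self, identity: str, ta: TrustedAuthority):
        self.identity, self.ta, self._cache = identity, ta, {}

    def key_for(self, encryption_key: str) -> bytes:
        if encryption_key not in self._cache:   # cache miss: TA runs its checks
            self._cache[encryption_key] = self.ta.decryption_key(
                self.identity, encryption_key)
        return self._cache[encryption_key]


def simulate():
    ta = TrustedAuthority(accredited={"dr.alice"})       # constructed identity
    prss, party = Provider(), Party("dr.alice", ta)

    # Three data sets in the same period share K1, so the TA is asked once.
    for _ in range(3):
        party.key_for(prss.encryption_key("dr.alice", "2024-05"))
    checks_in_period = ta.checks_run

    # Accreditation is withdrawn, but the cached K3 still opens data sets
    # encrypted under the unchanged K1: the TA is never consulted.
    ta.accredited.discard("dr.alice")
    party.key_for(prss.encryption_key("dr.alice", "2024-05"))
    checks_after_withdrawal = ta.checks_run

    # The next period carries a fresh nonce, so the TA must be involved again
    # and now refuses.
    try:
        party.key_for(prss.encryption_key("dr.alice", "2024-06"))
        refused_after_rotation = False
    except PermissionError:
        refused_after_rotation = True

    return {
        "checks_in_period": checks_in_period,
        "checks_after_withdrawal": checks_after_withdrawal,
        "refused_after_rotation": refused_after_rotation,
        "total_checks": ta.checks_run,
    }


if __name__ == "__main__":
    print(simulate())
```

The rotation period is therefore also the longest time a withdrawn accreditation can go unenforced for data sets encrypted under a key whose decryption key is already cached.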

Another variant generally applicable to all the embodiments of Figures 3 to 6 is for the TA
entity 45, rather than passing the decryption key K3 to the party entity 20, to use this key
itself to decrypt the encrypted first item and then provide the first item back to the party
entity 20. Similarly, the TA entity 45, rather than passing the decryption key K4 to the
organisation entity 50, can use this key itself to decrypt the encrypted second item and then
provide the second item back to the organisation entity 20. It is also possible to arrange for
the medical organisation entity 50 to pass back to the party entity 20 the element it receives
from the TA entity 45, whether this be the decryption key K4 or the recovered second
element, without using the element itself. These variants are not, however, preferred and in
any event the final decryption of the patient record should normally be restricted to being
done at the party entity 20.

Figure 7 shows a further variant here applied to the Figure 5 embodiment but also
applicable to the embodiments of Figures 3, 4 and 6. In the Figure 7 variant the second
encryption key K2 comprises not only identification of a medical organisation, but also the
identification of a medical professional contained in the first encryption key K1. This
enables the medical organisation entity 50 to check (process 90) that the medical
professional checked out by the medical professional TA entity 45 is also engaged by the
organisation 50 with authority to access patient records. Whilst the medical organisation
entity 50 preferably also checks that the party with which it is communicating is the
medical professional identified in the second encryption key, this is not essential because
the medical organisation can be sure that only the medical professional identified in the
encryption keys will be able to receive the first decryption key K3 from the medical
professional TA entity 40. The role of the medical organisation 50 is thus simply to provide
the key K4 if the medical professional identified in the first encryption key to the medical
professional TA entity 40 is engaged by an organisation accredited with the medical
organisation entity 45. Indeed, provision of the key K4 to the party 20 can be done over an
insecure, unauthenticated, channel 104 as the key K4 will only be of value to a party that
also possesses the first decryption key K3; provision over a secure channel is, however,
preferred.

Figure 8 illustrates another variant applied to the Figure 5 embodiment but also applicable
to the embodiments of Figures 3, 4 and 6. The Figure 8 variant, like that of Figure 7, is
based on the second encryption key including not only identification of a medical
organisation, but also identification of the same medical professional as identified in the
first encryption key. In this variant, the medical organisation entity 50 both checks that the
party 20 is the medical professional identified in the second encryption key K2 (process 91)
and checks that this professional is engaged by the organisation 50 with authority to access
patient records (process 90). Since the decrypted second item will only be available to the
party who is the medical professional identified in the encryption keys, the medical
professional TA entity 40 need only check that the professional identified in the first
encryption key K1 is accredited with it and return the first decryption key K3 to the
requesting party; the TA entity 40 need neither check that the party 20 is the identified
medical professional nor provide the key K3 in a secure manner (in Figure 8 the entities 20
and 40 are depicted as communicating via an insecure, unauthenticated, channel 105). Of
course, in reality communication between the entities 20 and 40 is preferably by a secure
channel and the entity 40 preferably does check that the party 20 is the professional
identified in the first encryption key.

It will also be appreciated that many other variants are possible to the above described
embodiments of the invention. For example, the data set provided by the PRSS entity 30
need not all be provided to the party 20 but components of it could be passed to the entities
40 and 50 directly for their use. Similarly, since the party entity 20 may well be connected
to a network run by the medical organisation 50, the latter can be arranged to intercept the
data set and copy or strip out the components it needs before passing on the data set, or the
remainder of it, to the party 20.

In the above-described embodiments, no restrictions have been placed on the professional
or organisation identified by the party to the PRSS entity 30 when requesting a patient
record. However, the PRSS entity 30 can be arranged to authenticate the party 30 and use
the authenticated identity of the party in the first encryption key K1. Furthermore, the party
entity 20 can take the form of a trusted computing platform provided by the organisation 50
and adapted to reliably provide the PRSS entity 30 with the identifications of both the party
20 and the organisation 50. One suitable form of trusted platform is specified in "TCPA -
Trusted Computing Platform Alliance Main Specification v1.1",
www.trustedcomputing.org, 2001 and described in the book "trusted computing platforms
- tcpa technology in context"; Pearson (editor); Prentice Hall; ISBN 0-13-009220-7. The
computing entity 50 is, preferably, also a trusted computing platform the status of which is
verifiable by the TA entity 45.

Where the identification of the professional and organisation to the PRSS entity 30 is not
controlled or checked, then there may be little to be gained by using these identifications in
the IBE encryption keys in which case the checks carried out by the entities 40, 45 and 50
are simply that the party 20 itself is a medical professional accredited with the medical
professional TA entity 40 and engaged by an organisation 50 which is accredited with the
medical organisation TA entity 45.

The present invention is not limited to the QR IBE method used in the above-described
embodiments and other, analogous, cryptographic methods can be used such as IBE
methods based on Weil or Tate pairings.

Furthermore, embodiments of the invention based on cryptographic techniques other than
IBE are also possible. For example, in a variant of the Figure 5 embodiment, the PRSS entity
30 encrypts the quantity A and an identifier of a medical professional using a public key of
a first public/private asymmetric key pair the private key of which is held by the medical
professional TA entity 40. Similarly, the PRSS entity 30 also encrypts the quantity B and
an identifier of a medical organisation using a public key of a second public/private
asymmetric key pair the private key of which is held by the medical organisation TA entity
45. In this case, the TA entities 40 and 45 first use their respective private keys to decrypt
the data encrypted using their public keys, and then carry out their checks 61, 62; 69, 70 as
described above for the Figure 5 embodiment before passing the quantities A and B
respectively to the party 20 and the medical organisation 50. The organisation 50 passes on
the quantity B to the party 20 after carrying out its check 67.

The variants discussed above in relation to the IBE embodiments (including, in particular, 
those of Figures 7 and 8) are generally also applicable to the non-IBE embodiments; for 
example, the encrypted data provided to the TA entities in the example described in the 
foregoing paragraph need not include identifications of a medical professional or medical 
organisation. 

CLAIMS

1. A method of recovering target data provided in encrypted form to a party as part of a
data set with which first and second trusted authorities are associated in a non-subvertible
manner, the method comprising:

providing a first element to the party after the first trusted authority has verified that a
specific individual is a professional accredited with it;

providing a second element to the party after both the second trusted authority has
verified that a particular organisation is accredited with it, and said particular
organisation has verified that said specific individual is engaged by it; and

the party using both said elements to recover the target data in clear;
at least one of the particular organisation and the first trusted authority ensuring that its
verification is for said party as said specific individual before providing the corresponding
element.

2. A method according to claim 1, wherein said data set comprises an encrypted first item
decryptable using a first decryption key obtainable from the first trusted authority and an
encrypted second item decryptable using a second decryption key obtainable from the
second trusted authority, both items requiring decryption for the target data to be recovered
in clear; the method comprising:

(a) - providing the party, in a secure manner, with the first element from the first trusted
authority only if the latter is satisfied that the party is a professional accredited with
this authority, the first element being one of the first decryption key and the first item
recovered with this key;

(b) - providing said particular organisation, in a secure manner, with the second
decryption key, or the second item decrypted with this key, from the second trusted
authority only if the latter is satisfied that the particular organisation is accredited
with this authority;

(c) - providing the party with the second element from said particular organisation only if
the organisation is satisfied that the party is engaged by the organisation with
authority to access the target data, the second element being one of the second
decryption key and the second item recovered with this key; and

(d) - recovering the target data at the party by using the decrypted first and second items,
decryption of the target data being effected at the party.

3. A method according to claim 2, wherein the particular organisation provides its output
to said party in a secure manner.

4. A method according to claim 1, wherein said data set comprises an encrypted first item
decryptable using a first decryption key obtainable from the first trusted authority and an
encrypted second item decryptable using a second decryption key obtainable from the
second trusted authority, both items requiring decryption for the target data to be recovered
in clear and the data set identifying said specific individual; the method comprising:

(a) - providing the party with the first element from the first trusted authority only if the
latter is satisfied that said specific individual, as identified in the data set, is a
professional accredited with this authority, the first element being one of the first
decryption key and the first item recovered with this key;

(b) - providing said particular organisation, in a secure manner, with the second
decryption key, or the second item decrypted with this key, from the second trusted
authority only if the latter is satisfied that the organisation is accredited with this
authority;

(c) - providing the party with the second element, from said particular organisation only if
the latter is satisfied that said specific individual is engaged by the organisation with
authority to access the target data, the second element being one of the second
decryption key and the second item recovered with this key; and

(d) - recovering the target data at the party by using the decrypted first and second items,
decryption of the target data being effected at the party;

at least one of the first trusted authority and said particular organisation providing its
associated element to said party in a secure manner and only after being satisfied that the
party is the said specific individual identified in the data set.

5. A method according to any one of claims 2 to 4, wherein:

- the first item has been encrypted, according to an Identifier-Based Encryption, IBE,
scheme, using a first encryption key that identifies said specific individual, and
public data of the first trusted authority; the first decryption key being a key
generated by the first trusted authority using the first encryption key and private data
used in forming said public data; and

- the second item has been encrypted, according to an IBE scheme, using a second
encryption key that identifies a specific organisation, and public data of the second
trusted authority; the second decryption key being a key generated by the second
trusted authority using the second encryption key and private data used in forming
said public data; the second decryption key, or the second item recovered with this
key, only being provided to said particular organisation upon the second trusted
authority being satisfied that said particular organisation is the specific organisation
identified in the second encryption key as well as it being an organisation accredited
with the second trusted authority.

6. A method according to claim 5, wherein the first item comprises the target data, and the
second item comprises the encrypted first item; the second item being recovered using the
second decryption key and then being subject to decryption using the first decryption key to
recover the target data.

7. A method according to claim 5, wherein the first item comprises the target data, the
second item comprises a nonce, and the first encryption key comprises, in combination, an
identifier of said specific individual and said nonce; the second item being recovered using
the second decryption key to provide said nonce which is then combined with the
identifier of said specific individual to form the first encryption key, this key thereafter
being provided to the first trusted authority in order to enable the latter to provide the first
decryption key for use at said party to decrypt the first item and thereby recover the target
data.

8. A method according to claim 5, wherein the first item comprises first data and the
second item comprises second data, the data set further comprising said target data
encrypted using a symmetric key that can be formed by using both said first and second
data; the first and second items being independently recovered to provide the first and
second data which are then used at said party to form said symmetric key, this key then
being used to decrypt the target data.

9. A method according to claim 5, wherein the data set comprises, in addition to said first 
and second items, said target data encrypted using a first symmetric key, the second item 
comprising a second symmetric key, and the first item comprising the first symmetric key 
encrypted using the second symmetric key; the first and second items being independently 
recovered to provide the encrypted first symmetric key and the second symmetric key, and 
the second symmetric key then being used at said party to decrypt the encrypted first 
symmetric key after which the first symmetric key is used to decrypt the encrypted target 
data. 

10. A method according to claim 5, wherein the party is provided with multiple different
encrypted target datas in respective data sets, the first item of each data set being encrypted
with a first encryption key that comprises, in addition to identification of said specific
individual, a random element; the party, in recovering each target data, obtaining from the
first trusted authority, the corresponding first decryption key or the corresponding first item
recovered using this key.

11. A method according to claim 5, wherein the party is provided with multiple different
encrypted target datas in respective data sets, the first item of each data set being encrypted 
with the same first encryption key; the party, after having obtained the corresponding first 
decryption key from the first trusted authority in the course of recovering the target data of 
one data set, caching the first decryption key and re-using it from cache for recovering the 
target datas of subsequent data sets that have first items encrypted using the same first 
encryption key as that for which the cached first decryption key was obtained. 

12. A method according to claim 5, wherein the party is provided with multiple different
encrypted target datas in respective data sets, the second item of each data set being
encrypted with a second encryption key that comprises, in addition to identification of said
specific organisation, a random element; the requesting organisation obtaining from the
second trusted authority, for each different second encryption key used, the corresponding
second decryption key or the corresponding second item recovered using this key.

13. A method according to claim 5, wherein the party is provided with multiple different
encrypted target datas in respective data sets, the second item of each data set being
encrypted with the same second encryption key; the requesting organisation after having
obtained the corresponding second decryption key from the second trusted authority in
respect of one data set, caching the second decryption key and re-using it from cache for
subsequent data sets that have second items encrypted using the same second encryption
key as that for which the cached second decryption key was obtained, the requesting
organisation decrypting the second item itself and passing the recovered second item to
said party.

14. A secure data-provision method comprising providing target data from a data provider
to a party purporting to be a specific, professionally-accredited, individual engaged by a
specific accredited organisation, the target data being provided in encrypted form as part of
a data set that comprises:

a first item encrypted, according to an Identifier-Based Encryption, IBE, scheme,
using both a first encryption key that identifies said specific individual, and public
data of a first trusted authority competent in respect of professional accreditations;
and

a second item encrypted according to an IBE scheme, using both a second encryption
key that identifies said specific organisation, and public data of a second trusted
authority competent in respect of accreditations of organisations;
recovery of the target data in clear requiring decryption of both the first and second items.

15. A method according to claim 14, wherein the first item comprises the target data, and 
the second item comprises the encrypted first item. 

16. A method according to claim 14, wherein the first item comprises the target data, and
the second item comprises a nonce; the first encryption key comprising, in combination, 
an identifier of said specific individual and said nonce. 

17. A method according to claim 14, wherein the first item comprises first data, and the
second item comprises second data; the data set further comprising said target data
encrypted using a symmetric key that can be formed by using both said first and second
data.

18. A method according to claim 14, wherein the data set comprises, in addition to said
first and second items, said target data encrypted using a first symmetric key, the second
item comprising a second symmetric key, and the first item comprising the first symmetric
key encrypted using the second symmetric key.

19. A secure data-provision method comprising providing target data from a data provider
to a party purporting to be a specific, professionally-accredited, individual engaged by a
specific accredited organisation, the target data being provided in encrypted form as part of
a data set that comprises:

- a first item encrypted using both a first encryption key that identifies said specific
individual, and public data of a first trusted authority competent in respect of
professional accreditations; and

- a second item encrypted using both a second encryption key that identifies said
specific organisation, and public data of a second trusted authority competent in
respect of accreditations of organisations;

recovery of the target data in clear requiring decryption of both the first and second items.

20. A system for recovering target data provided in encrypted form to a party as part of a
data set with which first and second trusted authorities are associated in a non-subvertible
manner, the system comprising:

- a first computing entity, associated with the first trusted authority, for providing a
first element to the party after verifying that a specific individual is a professional
accredited with it;

- a second computing entity associated with the second trusted authority;

- a third computing entity, associated with a particular organisation, for providing a
second element to the party after the second computing entity has verified that said
particular organisation is accredited with it, and the third computing entity has
verified that said specific individual is engaged by it; and

- a fourth computing entity, associated with said party, for decrypting the target data
using the first and second elements;

at least one of the first and third computing entities being arranged to ensure that its
verification is for said party as said specific individual before providing the corresponding
element to the party.

21. A system according to claim 20, wherein:

- said data set comprises an encrypted first item decryptable using a first decryption
key obtainable from the first trusted authority and an encrypted second item
decryptable using a second decryption key obtainable from the second trusted
authority, both items requiring decryption for the target data to be recovered in clear;

- the first computing entity is arranged to provide said party, in a secure manner, with
the first element only if it is satisfied that the party is a professional accredited with
the first trusted authority, the first element being one of the first decryption key and
the first item recovered with this key;

- the second computing entity is arranged to provide said particular organisation, in a
secure manner, with the second decryption key, or the second item decrypted with
this key, only if it is satisfied that the particular organisation is accredited with the
second trusted authority;

- the third computing entity is arranged to provide said party with the second element
only if it is satisfied that the party is engaged by said particular organisation with
authority to access the target data, the second element being one of the second
decryption key and the second item recovered with this key; and

- the fourth computing entity is arranged to recover the target data by using the
decrypted first and second items.

22. A system according to claim 21, wherein the third computing entity is arranged to
provide its output to said party in a secure manner.



23. A system according to claim 20, wherein:

- said data set comprises an encrypted first item decryptable using a first decryption
key obtainable from the first trusted authority and an encrypted second item
decryptable using a second decryption key obtainable from the second trusted
authority, both items requiring decryption for the target data to be recovered in clear
and the data set identifying said specific individual;

- the first computing entity is arranged to provide said party with the first element only
if it is satisfied that said specific individual, as identified in the data set, is a
professional accredited with the first trusted authority, the first element being one of
the first decryption key and the first item recovered with this key;

- the second computing entity is arranged to provide said particular organisation, in a
secure manner, with the second decryption key, or the second item decrypted with
this key, only if it is satisfied that the organisation is accredited with the second
trusted authority;

- the third computing entity is arranged to provide the party with the second element
only if it is satisfied that said specific individual is engaged by the organisation with
authority to access the target data, the second element being one of the second
decryption key and the second item recovered with this key; and

- the fourth computing entity is arranged to recover the target data by using the
decrypted first and second items;

at least one of the first and third computing entities being arranged to provide the
corresponding element to said party in a secure manner and only after being satisfied that
the party is the said specific individual identified in the data set.

24. A system according to any one of claims 21 to 23, wherein:

- the first item has been encrypted, according to an Identifier-Based Encryption, IBE,
scheme, using a first encryption key that identifies said specific individual, and
public data of the first trusted authority; the first computing entity being arranged to
generate the first decryption key using the first encryption key and private data used
in forming said public data; and

- the second item has been encrypted, according to an IBE scheme, using a second
encryption key that identifies a specific organisation, and public data of the second
trusted authority; the second computing entity being arranged to generate the second
decryption key using the second encryption key and private data used in forming said
public data, and the second computing entity being further arranged to provide the
second decryption key, or the second item recovered using this key, to said particular
organisation upon being satisfied that said particular organisation is the specific
organisation identified in the second encryption key as well as it being an
organisation accredited with the second trusted authority.

25. A system according to claim 24, wherein the first item comprises the target data, and
the second item comprises the encrypted first item; the fourth computing entity being
arranged to:

- recover the second item, if not provided to it in decrypted form by the third
computing entity, by using the second decryption key obtained from the third
computing entity, and

- subject the second item to decryption, using the first decryption key obtained from
the first computing entity, to recover the target data.

26. A system according to claim 24, wherein the first item comprises the target data, the
second item comprises a nonce, and the first encryption key comprises, in combination, an
identifier of said specific individual and said nonce; the fourth computing entity being
arranged to:

- recover the second item, if not provided to it in decrypted form by the third
computing entity, by using the second decryption key obtained from the third
computing entity,

- combine the nonce that formed the second item with the identifier of said specific
individual in order to form the first encryption key,

- provide the first encryption key to the first computing entity to obtain the first
decryption key, and

- use the first decryption key obtained from the first computing entity to decrypt the
first item and thereby recover the target data.

27. A system according to claim 24, wherein the first item comprises first data and the
second item comprises second data, the data set further comprising said target data
encrypted using a symmetric key that can be formed by using both said first and second
data; the fourth computing entity being arranged to

- recover the first data, if not provided to it in decrypted form by the first computing
entity, by using the first decryption key obtained from the first computing entity,

- recover the second data, if not provided to it in decrypted form by the third
computing entity, by using the second decryption key obtained from the third
computing entity,

- use the first data and the second data to form said symmetric key, and

- use the symmetric key to decrypt the target data.
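
The following added Python example, which is not part of the patent text, works through the construction of claims 17 and 27 end to end, using Cocks' quadratic-residuosity IBE as an assumed choice of IBE scheme. The identifier strings, the SHA-256 key derivation, the keystream cipher with HMAC tag and the toy moduli are all assumptions of the example, and the organisation's relay of the second decryption key is collapsed into a direct call to the second authority.

```python
import hashlib, hmac, itertools, secrets

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def id_to_a(identity, N):  # identifier string -> encryption key with Jacobi symbol +1
    for ctr in itertools.count():
        a = int.from_bytes(hashlib.sha256(f"{ctr}|{identity}".encode()).digest(), "big") % N
        if jacobi(a, N) == 1:
            return a

class TrustedAuthority:
    """Private data: primes p, q (both 3 mod 4). Public data: N = p*q."""
    def __init__(self, p, q):
        self._p, self._q, self.N = p, q, p * q
    def extract(self, identity):
        # In the claimed system this key is released only after the accreditation check.
        e = (self.N + 5 - self._p - self._q) // 8
        return pow(id_to_a(identity, self.N), e, self.N)  # r*r = a or -a (mod N)

def ibe_encrypt(data, identity, N):  # Cocks IBE, bit by bit; two values per bit (+a, -a)
    a, out = id_to_a(identity, N), []
    for i in range(len(data) * 8):
        m = 1 if (data[i // 8] >> (i % 8)) & 1 else -1
        pair = []
        for sign in (1, -1):
            t = secrets.randbelow(N - 2) + 2
            while jacobi(t, N) != m:
                t = secrets.randbelow(N - 2) + 2
            pair.append((t + sign * a * pow(t, -1, N)) % N)
        out.append(pair)
    return out

def ibe_decrypt(ct, identity, r, N):
    idx = 0 if pow(r, 2, N) == id_to_a(identity, N) else 1
    bits = [jacobi(pair[idx] + 2 * r, N) == 1 for pair in ct]
    return bytes(sum(bits[8 * j + k] << k for k in range(8)) for j in range(len(bits) // 8))

def sym(key, data):  # SHA-256 counter keystream XOR: stand-in for a real cipher such as AES
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))

def provide(target, individual, organisation, N1, N2):  # data provider: public data only
    d1, d2 = secrets.token_bytes(16), secrets.token_bytes(16)  # first data, second data
    k = hashlib.sha256(d1 + d2).digest()                       # symmetric key from both
    body = sym(k, target)
    return {"individual": individual, "organisation": organisation, "body": body,
            "first": ibe_encrypt(d1, individual, N1), "second": ibe_encrypt(d2, organisation, N2),
            "tag": hmac.new(k, body, "sha256").digest()}

def recover(ds, r1, r2, N1, N2):
    """Requesting party: returns the target data, or None if either decryption key is wrong."""
    d1 = ibe_decrypt(ds["first"], ds["individual"], r1, N1)
    d2 = ibe_decrypt(ds["second"], ds["organisation"], r2, N2)
    k = hashlib.sha256(d1 + d2).digest()
    ok = hmac.compare_digest(hmac.new(k, ds["body"], "sha256").digest(), ds["tag"])
    return sym(k, ds["body"]) if ok else None

# Constructed toy parameters (Mersenne primes): far too small and structured for real use.
TA1 = TrustedAuthority(2**89 - 1, 2**107 - 1)  # accredits professionals
TA2 = TrustedAuthority(2**61 - 1, 2**127 - 1)  # accredits organisations
```

Because the symmetric key depends on both the first and the second data, a decryption key issued for a different individual or a different organisation leaves `recover` unable to rebuild it.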


28. A system according to claim 24, wherein the data set comprises, in addition to said
first and second items, said target data encrypted using a first symmetric key, the second
item comprising a second symmetric key, and the first item comprising the first symmetric
key encrypted using the second symmetric key; the fourth computing entity being arranged
to:

- recover the first item, if not provided to it in decrypted form by the first computing
entity, by using the first decryption key obtained from the first computing entity,

- recover the second item, if not provided to it in decrypted form by the third
computing entity, by using the second decryption key obtained from the third
computing entity,

- use the second symmetric key that formed the second item to decrypt the encrypted
first symmetric key that formed the first item, and

- use the first symmetric key to decrypt the encrypted target data.

29. Apparatus for the secure provision of target data to a party purporting to be a specific,
professionally-accredited, individual engaged by a specific accredited organisation, the
apparatus comprising an encryption subsystem for generating a data set including the target
data in encrypted form, the encryption subsystem comprising:

- first encryption means for encrypting a first item, according to an Identifier-Based
Encryption, IBE, scheme, using both a first encryption key that identifies said
specific individual, and public data of a first trusted authority competent in respect of
professional accreditations;

- second encryption means for encrypting a second item, according to an IBE scheme,
using both a second encryption key that identifies said specific organisation, and
public data of a second trusted authority competent in respect of accreditations of
organisations; and

- means for forming the data set using at least the encrypted first and second items;

the recovery of the target data in clear requiring decryption of both the first and second
items.

30. Apparatus according to claim 29, wherein the first item comprises the target data, and 
the second item comprises the encrypted first item. 

31. Apparatus according to claim 29, wherein the first item comprises the target data, and 
the second item comprises a nonce; the first encryption key comprising, in combination, 
an identifier of said specific individual and said nonce. 

32. Apparatus according to claim 29, wherein the first item comprises first data, and the 
second item comprises second data; the data set further comprising said target data 
encrypted using a symmetric key that can be formed by using both said first and second 
data. 

33. Apparatus according to claim 29, wherein the data set comprises, in addition to said 
first and second items, said target data encrypted using a first symmetric key, the second 
item comprising a second symmetric key, and the first item comprising the first symmetric 
key encrypted using the second symmetric key. 

34. A computing entity for recovering target data provided in encrypted form as part of a
data set that comprises first and second encrypted items both of which must be decrypted to
recover the target data, the first item being encrypted using both a first encryption key that
identifies a specific individual and first public data, and the second item being encrypted
using both a second encryption key that identifies a specific organisation, and second
public data; the entity comprising:

- first means for requesting either a first decryption key corresponding to the first
encryption key, or the first item in decrypted form, from a first trusted authority
which is competent in respect of the accreditation of professionals and holds first
private data used in deriving the first public data, the first means being arranged to
provide the first encryption key to the first trusted authority when making its request
and being further arranged to authenticate the entity with the first trusted authority
and to receive the first decryption key, or the first item, securely from the first trusted
authority;

- second means for requesting either a second decryption key corresponding to the
second encryption key, or the second item in decrypted form, from an organisation
accredited by a second trusted authority which holds second private data used in
deriving the second public data, the second means being arranged to provide the
second encryption key to the organisation when making its request and being further
arranged to authenticate the entity with the organisation and receive the second
decryption key, or the second item, from the organisation;

- third means for using the first decryption key, or the first item, provided by the first
trusted authority and the second decryption key, or the second item, provided by the
organisation, to recover the target data.

35. A computing entity according to claim 30, wherein the second means is arranged to 
receive the second decryption key, or the second item, securely from the organisation. 

36. A computing entity for recovering target data provided in encrypted form as part of a
data set that comprises first and second encrypted items both of which must be decrypted to
recover the target data, the first item being encrypted using both a first encryption key that
identifies a specific individual and first public data, and the second item being encrypted
using both a second encryption key that identifies a specific organisation and said specific
individual, and second public data; the entity comprising:

- first means for requesting either a first decryption key corresponding to the first
encryption key, or the first item in decrypted form, from a first trusted authority
which is competent in respect of the accreditation of professionals and holds first
private data used in deriving the first public data, the first means being arranged to
provide the first encryption key, or the first item, to the first trusted authority when
making its request;

- second means for requesting either a second decryption key corresponding to the
second encryption key, or the second item in decrypted form, from an organisation
accredited by a second trusted authority which holds second private data used in
deriving the second public data, the second means being arranged to provide the
second encryption key to the organisation when making its request; and

- third means for using the first decryption key, or the first item, provided by the first
trusted authority and the second decryption key, or the second item, provided by the
organisation, to recover the target data;

at least one of the first means and the second means being arranged to authenticate the
entity to the first trusted authority or said organisation as the case may be and to receive
input therefrom in a secure manner.

37. A computing entity according to any one of claims 34 to 36, wherein the first item
comprises the target data, and the second item comprises the encrypted first item; the third
means being arranged to:

- recover the second item, if not provided to the second means in decrypted form by
the organisation, by using the second decryption key obtained from the organisation
and

- subject the second item to decryption, using the first decryption key obtained from
the first trusted authority, to recover the target data.

38. A computing entity according to any one of claims 34 to 36, wherein the first item
comprises the target data, the second item comprises a nonce, and the first encryption key
comprises, in combination, an identifier of said specific individual and said nonce; the
third means being arranged to:

- recover the second item, if not provided to the second means in decrypted form by
the organisation, by using the second decryption key obtained from the organisation,

- combine the nonce that formed the second item with the identifier of said specific
individual in order to form the first encryption key to be provided by the first means
to the first trusted authority, and

- use the first decryption key obtained from the first trusted authority to decrypt the
first item and thereby recover the target data.



39. A computing entity according to any one of claims 34 to 36, wherein the first item
comprises first data and the second item comprises second data, the data set further
comprising said target data encrypted using a symmetric key that can be formed by using
both said first and second data; the third means being arranged to

- recover the first data, if not provided to the first means by the first trusted authority,
by using the first decryption key obtained from the first trusted authority,

- recover the second data, if not provided to the second means in decrypted form by the
organisation, by using the second decryption key obtained from the organisation,

- use the first data and the second data to form said symmetric key, and

- use the symmetric key to decrypt the target data.

40. A computing entity according to any one of claims 34 to 36, wherein the data set
comprises, in addition to said first and second items, said target data encrypted using a first
symmetric key, the second item comprising a second symmetric key, and the first item
comprising the first symmetric key encrypted using the second symmetric key; the third
means being arranged to:

- recover the first item, if not provided to the first means by the first trusted authority,
by using the first decryption key obtained from the first trusted authority,

- recover the second item, if not provided to the second means in decrypted form by
the organisation, by using the second decryption key obtained from the organisation,

- use the second symmetric key that formed the second item to decrypt the encrypted
first symmetric key that formed the first item, and

- use the first symmetric key to decrypt the encrypted target data.

ABSTRACT

Secure Data Provision Method and Apparatus and 
Data Recovery Method and System. 

To control access to target data whilst relieving the data provider (30) of policing 
obligations, the data provider (30) provides the target data in encrypted form to a 
requesting party (20) as part of a data set with which first and second trusted authorities 
(40,45) are associated in a non-subvertible manner. Recovery of the target data in clear by 
the party (20) requires the first trusted authority (40) to verify that a specific individual is a 
professional accredited with it, the second trusted authority (45) to verify that a particular 
organisation (50) is accredited with it, the particular organisation (50) to verify that the 
specific individual is engaged by it, and at least one of the particular organisation (50) and 
the first trusted authority (40) to verify that the party (20) is the specific individual. Various 
ways of encrypting the target data are provided, the preferred ways being based on 
Identifier-Based Encryption schemas. 



(Figure 2) 